Commit ce35cec3 authored by Nick Kralevich, committed by Android (Google) Code Review

Merge "Make sure neverallow rules also cover other property types" into nyc-dev

parents ab33c469 45737b9f
......@@ -288,9 +288,12 @@ neverallow {
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
# Only the init property service should write to /data/property.
# Only the init property service should write to /data/property and /dev/__properties__
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
neverallow { domain -init } property_data_file:file no_w_file_perms;
neverallow { domain -init } property_type:file no_w_file_perms;
neverallow { domain -init } properties_device:file no_w_file_perms;
neverallow { domain -init } properties_serial:file no_w_file_perms;
# Only recovery should be doing writes to /system
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
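Review bot: the three added rules for property_type, properties_device and properties_serial cover only the file class, whereas property_data_file just above them gets both a `:dir no_w_dir_perms` and a `:file no_w_file_perms` rule. If /dev/__properties__ can be a directory labelled properties_device, a matching `neverallow { domain -init } properties_device:dir no_w_dir_perms;` would also block creating, renaming or unlinking entries there; if the file class is sufficient, the comment should say why. The updated comment could also state which of the three types correspond to /dev/__properties__, since the type names alone do not make the mapping obvious.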
......